The Cloud Hopper Lesson: Cloud Security Is Not Enough
Moving to the cloud is supposed to make everything better. Costs go down, efficiency goes up, and collaboration gets easier.
Security is supposed to be easier, too. Cloud providers and managed service providers offer streamlined architecture, up-to-date systems, and economies of scale that let them devote more resources to security than their customers could afford on their own. However, as the massive Cloud Hopper breach has shown, cloud-based security is not a complete answer.
The cloud as an attack vector
Though new details are still coming to light, it's clear that Cloud Hopper was one of the most significant breaches of the last decade. A group of hackers—apparently connected with the Chinese government—infiltrated many of the world's largest cloud service providers, and used those providers' networks as launching pads for attacks on the cloud providers' customers.
Cloud Hopper has drawn renewed attention after a recent investigation from the Wall Street Journal revealed that the attacks were even more severe than previously reported. The Chinese hackers were able to steal data from cloud customers over a period of several years—even after their presence had been detected—and seem to have been especially interested in stealing intellectual property. Targeted companies include defense contractors, electronics firms, and other organizations with high-value trade secrets.
The attack methodology highlights one of the tradeoffs that comes with moving sensitive data to the cloud. Cloud providers may be better equipped than other organizations to prevent a data breach, but when something does go wrong in the cloud, hackers can gain access to the secrets of dozens or hundreds of companies all at once.
Securing high-value data
Nothing—not even a data breach as bad as Cloud Hopper—is going to slow down the worldwide move to the cloud. The benefits of cloud services are too obvious and compelling to let anything get in the way. But the attack serves as a reminder that organizations need to demand rigorous protection from their cloud providers, and take extra care when storing highly sensitive data in the cloud.
As a foundational step, organizations should be sure that their cloud providers and managed service providers are encrypting the data they manage. Most providers offer encryption for data at rest and in transit, with varying levels of sophistication. For top-secret data, however, the best approach for organizations is to encrypt data themselves, using a "hold your own key" (HYOK) approach, before it travels to the cloud in the first place.
HYOK encryption lets cloud customers, not service providers, control access to sensitive data. If the Cloud Hopper thieves had stolen data that was encrypted before it moved to the cloud—with a key that the cloud provider could not access—the stolen data would have been useless, because the thieves would have had no chance of decrypting it.
HYOK encryption can get in the way of some cloud workflows, especially ones that involve online collaboration, so it may not be right for every use case. But for intellectual property and other highly sensitive data, it offers the highest level of protection against attacks from foreign governments and other sophisticated data thieves. Based on the success of Cloud Hopper, it's certain that other hackers are already launching their own attacks from inside the cloud today.